diff --git a/russh/Cargo.toml b/russh/Cargo.toml
index 4974d15e..4c8dd2b3 100644
--- a/russh/Cargo.toml
+++ b/russh/Cargo.toml
@@ -9,7 +9,7 @@ license = "Apache-2.0"
 name = "russh"
 readme = "../README.md"
 repository = "https://github.com/warp-tech/russh"
-version = "0.44.0"
+version = "0.44.1"
 rust-version = "1.65"
 [features]
diff --git a/russh/src/cipher/mod.rs b/russh/src/cipher/mod.rs
index 1b5b2bff..a474c2da 100644
--- a/russh/src/cipher/mod.rs
+++ b/russh/src/cipher/mod.rs
@@ -246,7 +246,13 @@ pub(crate) async fn read<'a, R: AsyncRead + Unpin>(
 buffer.buffer.extend(&len);
 debug!("reading, seqn = {:?}", seqn);
 let len = cipher.decrypt_packet_length(seqn, &len);
- buffer.len = BigEndian::read_u32(&len) as usize + cipher.tag_len();
+ let len = BigEndian::read_u32(&len) as usize;
+
+ if len > MAXIMUM_PACKET_LEN {
+ return Err(Error::PacketSize(len));
+ }
+
+ buffer.len = len + cipher.tag_len();
 debug!("reading, clear len = {:?}", buffer.len);
 }
 }
@@ -284,5 +290,6 @@ pub(crate) async fn read<'a, R: AsyncRead + Unpin>(
 pub(crate) const PACKET_LENGTH_LEN: usize = 4;
 const MINIMUM_PACKET_LEN: usize = 16;
+const MAXIMUM_PACKET_LEN: usize = 256 * 1024;
 const PADDING_LENGTH_LEN: usize = 1;
diff --git a/russh/src/lib.rs b/russh/src/lib.rs
index 93ff1bd2..accfaeb0 100644
--- a/russh/src/lib.rs
+++ b/russh/src/lib.rs
@@ -221,6 +221,10 @@ pub enum Error {
 #[error("Wrong server signature")]
 WrongServerSig,
+ /// Excessive packet size.
+ #[error("Bad packet size: {0}")]
+ PacketSize(usize),
+
 /// Message received/sent on unopened channel.
 #[error("Channel not open")]
 WrongChannel,
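Review bot: The new guard in `read` bounds the decrypted length only from above: a value below the protocol minimum, including 0, still reaches `buffer.len = len + cipher.tag_len();`, and the code that consumes `buffer.len` is outside this hunk, so it is not visible whether an undersized length is rejected later. At this point only the four length bytes have been read, so `len` is a peer-supplied value that nothing has validated yet; I would say so next to the check, e.g. `// len comes straight from the peer; bound it before it is used as the read length`, and either reject short values here too or note where they are handled. A regression test that feeds a length above `MAXIMUM_PACKET_LEN` and asserts `Error::PacketSize` would keep this fix from regressing. The body of `read` starts and ends outside the hunk.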
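Review bot: `MAXIMUM_PACKET_LEN` is added without a comment saying what it bounds or why 256 KiB was chosen. In the read path the limit is compared against the decrypted length field before `cipher.tag_len()` is added, so it caps the length field rather than the total bytes per packet, and that is worth recording. Suggested: `/// Largest packet length field accepted from the peer (256 KiB); the cipher tag is not included.` If the crate lets a larger packet size be negotiated or configured elsewhere, that setting and this constant should be kept consistent, which cannot be checked from this hunk.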
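Review bot: `PacketSize` is a new variant on the public `Error` enum, released as a patch version (0.44.0 to 0.44.1 in the same commit); if the enum is not `#[non_exhaustive]`, downstream code that matches on it exhaustively stops compiling. The enum's attributes are above the hunk, so this needs checking against the full definition. The doc comment could also say what the payload is, e.g. `/// Excessive packet size; the value is the length announced by the peer.`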